Hi there,
We have an internal document where we condensed both of these information sources, but it's written in German. If you (Fortinet) like, I can translate it for you and you may publish it as KB?
Some of the main things you have to dig a while before finding it out by yourself:
Most common functions:
- toDateTime($_year, $_month, $_day, $_time) converts single values of a time to a datetime object necessary for events
- combineMsgId($_var1, $_var2, "eigener Text", $hostVLAN, ...) combines strings
- convertStrToIntIpProto($_string) converts a string to an integer that is usually needed for ip things; there is also: convertStrToIntIpPort().
- add($_number1, $_number2), divide, scale for math
- replaceStringByRegex($_input, "regex", "replacment String") for replacing strings
- getEventSeverityFromSyslogPriority($_syslogPrio) converts the syslog priority within the brackets at the beginning of the message to the FSM priority (eventSeverity attribute)
Global RegEx patterns:
- You can find them at /opt/phoenix/config/xml/GeneralPatternDefinitions.xml (which will be overwritten when updating!). Most interesting ones:
- gPatSyslogPRI takes the priortiy out of a syslog message (like <134>)
- gPatMesgBody or gPatMesgBodyMin takes the end of the message
- gPatSyslogNGHeader takes a standard-formed time out of the syslog message (unfortunately, most syslog message have their custom time format)
- gPatMon/gPatMonNum/gPatDay/gPatTime/gPatYear/gPatMSec/gPatTimeMSec/gPatTimeZone/gPatWeekday finds parts of dates/times
- gPatIpV4Dot/gPatIpAddr (IPv6)/gPatIpPort/gPatProto for network information
- gPatFqdn/gPatWord/gPatWord/gPatStr/gPatHostName/gPatStrComma/gPatStrLeftParen/gPatStrRightSB/gPatInt/gPatSpace/gPatStrEndColon/gPatStrSQ (single quotes)/gPatDQ (double quotes)/gPatSentence
Best,
Christian
FCX #003451 | Fortinet Advanced Partner
